Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest Access certificate error

  • 1.  Clearpass Guest Access certificate error

    Posted 16 hours ago

    Hello Everyone!

    We have deployed ClearPass Guest access with sponsor approval. Everything works smoothly apart from one major issue: the portal is not trusted by the guests.

    How can we make the portal trusted for the Guests?

    Where should we upload a public cert, to the AP which serves the SSID?

    And what should that CERT contain in the CN? I mean the portal is on Clearpass server which has an internal address.

    What is the best practice?

    Thanks in advance,

    Mate



  • 2.  RE: Clearpass Guest Access certificate error

    EMPLOYEE
    Posted 12 hours ago

    Check this video series; most relevant are Installing the HTTPS certificate on ClearPass and the Guest section.

    Certificate matching these days works based on the SAN, no longer on the CN, but normally when you request a web server certificate on FQDN the first SAN is set to the CN.

    Because the SAN is set to a FQDN, it's no problem if the ClearPass server is on an internal (private) IP address, as long as you can map a public DNS name (FQDN) to that private IP.

    You will need a certificate for your ClearPass and one for the AP or controller; which is explained in those videos.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass Guest Access certificate error

    Posted 11 hours ago

    So I have to request a public certificate which has the FQDN of the ClearPass server in the SAN field. Okay, it's not a problem because I have a wildcard cert.

    And I should create a public DNS record which points to an internal (RFC1918) IP address? Or how will the client know the address of the ClearPass server?

    The same is the case with the AP.

    Thanks Herman!!




  • 4.  RE: Clearpass Guest Access certificate error

    EMPLOYEE
    Posted 10 hours ago

    If you have a wildcard, you can use the same for ClearPass and the AP; if I'm correct that's also what I have done in the video.

    For ClearPass, you indeed need to have a DNS entry, which can be in a (local) DNS server which is accessible from the guest network (or networks where you use the captive portal from); but putting it in public DNS, indeed with an RFC1918 private IP, that is more reliable as some devices (I've seen iPhones doing that) seem to use a public DNS server or do the DNS resolution even via the cellular network.

    The AP will 'spoof' its IP when it sees a DNS request for the first SAN of your installed certificate (or captiveportal-login.* for a wildcard cert) through the AP/controller.



    ------------------------------
    Herman Robers
    ------------------------------
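
The SAN and DNS points from this thread can be checked before guests ever see a warning. The sketch below is an added example, not part of any post and not ClearPass or Aruba code; the `example.com` names, the 10.10.20.5 address and the function names are constructed for illustration. It matches a portal name against a certificate's SAN list the way clients do (a wildcard covers exactly one left-most label, and the CN is ignored) and reports whether the name resolves to an RFC1918 address.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def san_matches(hostname, san):
    """RFC 6125-style match: '*' is only valid as the whole left-most
    label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans several labels or zero labels
    if pat[0] == "*":
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    return host == pat

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def check_portal(hostname, cert_cn, cert_sans, dns_records):
    """Summarise whether a guest browser would accept the portal name.
    dns_records is a name -> IP mapping standing in for real resolution."""
    san_ok = any(san_matches(hostname, s) for s in cert_sans)
    ip = dns_records.get(hostname)
    return {
        "san_ok": san_ok,
        # Name present only in the CN: modern clients reject this.
        "cn_only": (not san_ok) and san_matches(hostname, cert_cn),
        "resolves": ip is not None,
        "private_ip": ip is not None and is_rfc1918(ip),
    }

if __name__ == "__main__":
    # Constructed sample data: a wildcard cert and a DNS record that
    # points the portal FQDN at an internal address.
    sans = ["*.example.com"]
    dns = {"clearpass.example.com": "10.10.20.5"}
    for name in ("clearpass.example.com",
                 "captiveportal-login.example.com",
                 "guest.clearpass.example.com",
                 "example.com"):
        print(name, check_portal(name, "*.example.com", sans, dns))
```

A `private_ip` result of `True` is the setup described in the thread, and it only works if the guest network can actually reach that address.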